LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 06-19-2005, 09:56 PM   #1
FBergeron
LQ Newbie
 
Registered: Jan 2005
Location: Nagoya, Japan
Distribution: Debian
Posts: 2

Rep: Reputation: 0
SMIME certificate renewal


I've made my own Certificate Authority (using openssl) and have used a SMIME certificate for one year for my mail. I've received some encrypted messages since and I could decrypt them with my certificate (using mutt and openssl).

However, my certificate has expired lately. I've renewed it (or so I think). And it works fine again except that I still need my old certificate to read (to decrypt) messages encrypted with the previous certificate.

Is it the expected behavior or should I be able to decrypt old and new messages with my renewed certificate? Do I really have to keep old certificate to decrypt old messages? If it's the case, that would mean that in ten years, I will have 10 to keep 10 certificates... It looks wrong.

Here are the commands that I did to renew my certificate :

1) I've recreated a certificate request from my public/private keys :

Code:
openssl x509 -x509toreq -in newcerts/01.pem -out newreq.pem -signkey private/fbergero.pem
2) I signed this certificate request by my own Certificate Authority :

Code:
openssl ca -config openssl.cnf -policy policy_anything -out fbergero2.pem -infiles newreq.pem
3) I've created a p12 file to import my new certificate into my mail agent :

Code:
openssl pkcs12 -export -in fbergero2.pem -inkey private/fbergero.pem -certfile cacert.pem -out private/fbergero2.p12 -name "FBergero"
4) I've imported the certificate into my mail agent :

Code:
smime_keys add_p12 fbergero2.p12
So now, I have 2 certificates that I can use in my mail agent (mutt) : ca39367a.0 and ca39367a.1. With ca39367a.0, I can decrypt old messages and with ca39367a.1, I decrypt new messages.

Is it right?
 
Old 06-20-2005, 10:51 AM   #2
FBergeron
LQ Newbie
 
Registered: Jan 2005
Location: Nagoya, Japan
Distribution: Debian
Posts: 2

Original Poster
Rep: Reputation: 0
Answer

I will answer my own question for the benefit of other readers.

After some searching, I found that it is the expected behavior. It's possible to extend the validation of an old certificate with some tweaking with openssl but this is not standard and not recommended.

The renewal of a SMIME certificate creates, in fact, a new certificate with a different serial number and a different timespan. To allow a Mail User Agent to read previously encrypted messages, we have to keep the expired certificates.

I found all this information in this thread of the openssl's mailing-list archive :

http://marc.theaimsgroup.com/?l=open...1756127268&w=1
 
Old 03-29-2019, 12:43 PM   #3
Frack
LQ Newbie
 
Registered: Mar 2019
Posts: 1

Rep: Reputation: Disabled
Thumbs up ありがとう

Quote:
Originally Posted by FBergeron View Post
I will answer my own question for the benefit of other readers.
Thanks a lot for your summary!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
dhcp renewal question avirup dasgupta Linux - Networking 3 11-13-2005 07:02 PM
dhcp renewal Gollum78 Ubuntu 2 10-15-2005 05:43 AM
Re-run IPTables script after Lease Renewal Spotnik Linux - Networking 4 02-01-2004 08:11 AM
DHCP Renewal Problem MrSmith Linux - Networking 2 03-29-2003 04:20 PM
IP Address renewal.. sancho5 Linux - Networking 2 11-23-2001 09:18 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 09:39 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration